hanbot: on the mp-wp newsfront, i've a pressed genesis via phf's latest leftwards/keccak vtools. am waiting on pizarro folks to get apache & mod_rewrite going so i can test it and see to the initial patches it'll need.
trinque: mircea_popescu: sure am, oughta be able to get things squared shortly, couple days
ckang: mircea_popescu: hes just worried about his nick being associated with a group that calls themselves a terrorist organization, I suggested that he maybe create an alt nick for the purpose of the discussion and also told him it would be a great review of the project since you all know a good bit about the stuff
ben_vulpes: okay now for the next wtf: phpinfo returns instantly, i can open a database connection from php and query for the number of tables, but when i use the mp-wp index.php shit slows to a 2.7 second crawl
ben_vulpes: i must actually be too thick to configure an mpwp lamp stack.
mimisbrunnr: Logged on 2018-04-12 06:49 ben_vulpes: hanbot danielpbarron: apache with mod_php is, sadly, much slower than the nginx setup we've had until now. however now we can move forward with getting your .htaccess files set up and uploads and such. i'm going to knock off for now but please let me know how i can support your mp-wp projects next.
mircea_popescu: it has nothing to do with apache ; let everyone who isn't hanbot fix their mp-wp
mircea_popescu: ideally by getting her genesis pressed once she puts it out.
ben_vulpes: mircea_popescu: nginx can serve hanbots in .01s, not the .6 of apache
zx2c4: hello. mircea_popescu asked me to come here for two hours to field some questions about wireguard from you all. i'm not very familiar with this channel or the community in it, but i am happy to talk to whomever about wireguard. so let's start the timer now?
zx2c4: it's small, minimal, has the flexibility to be exactly what i needed and nothing larger. makes conservative choices. fits into the security model i was aiming for with the implementation properties i was looking for. i was also involved with noise from very early on, so several concerns and needs i had with wireguard got factored into noise. and since noise is a very interesting framework, it's now receiving much needed academic attention in
zx2c4: wireguard is supposed to be implementable using simple algorithms with as small of a state machine as possible, so that the code size and complexity is kept at a minimum. in other words, it aims to be easily auditable so that people can actually read it and feel confident that it doesnt have horrible vulnerabilities. with massive codebases and highly complex designs like openvpn or ipsec, this obviously isnt possible. so with wireguard i was trying
zx2c4: to make something that would make this all possible
zx2c4: then on top of that i wanted a few nice properties:
zx2c4: - silent to unauthorized packets. if you dont know there's a wireguard endpoint there and don't have credentials to talk to it, you can't get it to respond to anything. so, you cant scan for endpoints. this makes it a good thing to put on the outer edge of your network.
zx2c4: - minimal state machine, as mentioned above, which means 1-RTT: if something goes wrong with a message being dropped, the solution is always to just "start over the protocol", since it's only 1-RTT. this saves amazing amounts of complexity
zx2c4: - no dynamic memory allocation. all the memory used by wireguard should be allocated at configuration time, not in response to incoming packets.
zx2c4: - denial of service resistance. as mentioned, you should be able to put this on the outer edge of a network
zx2c4: asciilifeform: oh cool. i havent seen this ill take a look
asciilifeform: zx2c4: don't go away yet plz. i'd like to ask a few q re your crypto design
zx2c4: - the whole cryptokey routing table thing is very important for making things extremely simple. it pairs the identity of a public key with the ip address someone is allowed to be inside the tunnel. no fancy security marks or whatever from ipsec bloat
zx2c4: asciilifeform: i agreed to stick around for 2 hours. worry not. :P
asciilifeform: zx2c4: why did you select diffie-hellman ? ( vs e.g. rsa )
zx2c4: ive got some more design properties to enumerate if you'd like, but i can answer your direct questions too
asciilifeform: zx2c4: carry on, but after that let's come back to DH
zx2c4: KEMs like RSA are more complicated to implement in as few round trips as DH-based protocols
zx2c4: - wireguard isn't chatty. when you're not sending traffic, it shuts up and you cant tell its there
asciilifeform: how's that ? you can encipher a symmetric key in an rsagram , and that's 1 packet. then 1 packet back to ack receipt. neh ?
zx2c4: - wireguard doesnt expose any state to the administrator. there's either an interface or there isnt. theres no concept of "connection". with a very simple timer state machine, we're able to completely hide all details from the sender side
zx2c4: so for the handshake we want these properties in 1-RTT:
asciilifeform: ( i grasp the connectionless scheme , having prototyped a similar item )
zx2c4: - authentication in the first message, so that unauthenticated packets arent replied to, hence ensuring things are stealthy
asciilifeform: btw zx2c4 , i must regret to inform you that the code you linked, is in fact NOT constant-time on several common architectures, because it makes use of machine MUL instruction ( gcc will compile a nonconstant-operanded '*' to e.g. IMUL on x86 )
zx2c4: aes is also well understood, but is neither easy to implement, simple, nor fast on all hardware
asciilifeform: zx2c4: does it bother you that no proof of strength for any symmetric cipher other than otp (e.g. aes, chacha, etc ) exists ?
zx2c4: not anymore than other things in cryptography worry me
asciilifeform: ( i.e. a reduction to np-hard or for that matter ANY particular complexity class )
zx2c4: things like RSA boil down to number theory problems. but that's in a sense scarier than the set of problems that good block ciphers tend to boil down to. because it means that those primitives have lots of _structure_, and generally structure is something that can be exploited. just look at all the amazing and fantastic attacks on things with structure. so just boiling down to a [currently considered] "hard problem" doesn't provide as much solace
zx2c4: seems like there are many places and interesting ways to optimize at this point. lots of neat creative work coming out. but that with aes and whatnot, we're in a pretty good place in terms of symmetric crypto
asciilifeform: several yrs ago i went in search of ~any~ problem that can be shown to have a ~nphard average case~ . and found none.
a111: Logged on 2018-04-12 16:32 mircea_popescu: now let's look at the logs :
mircea_popescu: you can click the link and see a website-based story of the log ; the bot also reads the line referenced in conversation.
zx2c4: if you guys wind up using wireguard for part of your infra and want to support wireguard for a year, i'm always looking for large donations, etc. not sure if that's what deedbot is for exactly but that would be quite the nice deed
mircea_popescu: this is a lot more than meets the eye ; because it actually restructures conversations into a tree. things here have a depth not encountered anywhere else.
mircea_popescu: http://deedbot.org/ << on deedbot you can register any arbitrary item ; it keeps a record that indeed your signature did so ; and it marks the time, through inclusion in the bitcoin blockchain
mircea_popescu: so it permits indefeasible record of deeds ; something the fiat sovereigns have not yet managed.
a111: Logged on 2018-04-12 08:33 ckang: granted im sure things are progressing, but its hard to outperform something from a billet of aluminum
mircea_popescu: speaking of which and ben_vulpes boyhood dreams, ssto and so on : i dreamt last night that someone actually managed to create that true wunderwaffen material, the composite/ceramic with higher tensile strength than steel, but negligible caloric conductivity. making some iiiincredible jet engines.
mircea_popescu: http://btcbase.org/log/2018-04-12#1796976 << you know me. he doesn't know you. this makes all the difference in the world -- i can whip my slavegirls into shape because they ~love me~. people without this benefit are stuck going at snail speed, which is why "education" in the unsexualized way it's implemented publicly does not work. it couldn't fucking work.
a111: Logged on 2018-04-12 09:42 spyked: http://btcbase.org/log/2018-04-12#1796749 <-- that's probably my thing, I've been playing with it for the last two weeks or so, I have it in a loop grabbing feeds from republican blogs.
asciilifeform has 1 more q for zx2c4 , after mircea_popescu finishes
zx2c4: well im still around here for another half hour or so, so feel free to lob anything more at me
a111: Logged on 2018-04-12 15:36 zx2c4: - minimal state machine, as mentioned above, which means 1-RTT: if something goes wrong with a message being dropped, the solution is always to just "start over the protocol", since it's only 1-RTT. this saves amazing amounts of complexity
a111: Logged on 2018-04-11 16:11 asciilifeform: mircea_popescu: picture if the selector on kalash had a 'fires backwards' position.
zx2c4: noise defines several different handshakes. wireguard uses Noise_IKpsk2, which is 1-RTT. But there are other noise handshakes, some of which are 0-RTT, 1-RTT, 2-RTT, 1.5-RTT, and so forth. each handshake message can optionally contain a payload -- to contain things like, say, certificates or other data. the question is at which stage of the handshake do you use the payload parameter? if you do it too early in some, you get zero confidentiality. so
zx2c4: this is spelled out explicitly in the section you mentioned
zx2c4: but there's certainly not any "null-ciphering" and this is only a misunderstanding of what the specification says
asciilifeform: i understand the bare fact, zx2c4 . my question is, why do you think the protocol author permitted an unsecured mode as a valid mode of operation ?
asciilifeform: what's the justification, for permitting it at all
mircea_popescu: asciilifeform seems to me the case to be, that they defined a matrix, and then implemented all the cells, and fuck you if you pick a dumb cell.
zx2c4: there are valid use cases of sending information in the clear in the payload parameter. for example, perhaps you want to use it to advertise which aspects of the protocol are valid for subsequent messages. or you want to send a certificate along to authenticate yourself. the payload parameter certainly shouldnt be confused with transport messages, which are what are allowed after the handshake completes
mircea_popescu: the ready argument for doing it this way is simplicity.
zx2c4: this is not the case of the "null mode" in IPsec, which is obviously a complete disaster with no good justification
asciilifeform: mircea_popescu: what i see is, the cell is there, but there is no indication that it is connected , as it ought to be, to red lights, siren, and dropping of reactor moderator rods
zx2c4: because IPsec's null cipher mode is for transport data. what youre asking about with 7.4 is the payload parameter of the handshake messages
zx2c4: one thing to keep in mind is that Noise isn't a single ready-made protocol for every application designer to take. its instead a protocol framework for protocol designers to use. knowing explicitly what the payload param gives you in each message is really important, so that you dont screw up and put your stuff somewhere it shouldnt be. there are legitimate protocol use cases for using the payload parameter early on during the handshake. its
zx2c4: important to then know what level of confidentiality you get there
mircea_popescu: so in no case a dizzy operator could naively set up noise 7.4 so as to send his payloads in plaintext.
mircea_popescu: this is principally enforced by dizzy operators not touching the framework in the first place, but only given implementations of it.
zx2c4: pretty unlikely that somebody would design a protocol inadvertently that way
zx2c4: every time i send you something, i expect to hear back from you. if i dont hear back from you, then something bad has happened, and i should start over with a new handshake. my way of hearing back from you might be in the natural sense -- i send a TCP SYN, you send me back a TCP ACK -- or it might be the case that you actually just have nothing to send back to me. you got my message just fine, but really just cant think of anything to say back to me.
zx2c4: in this case, its important that you send me a keepalive, so that i know you at least got it. however, these keepalives arent persistent. if subsequently, i have nothing more to say to you, then we both go silent and dont say anything.
mircea_popescu: why am i held to explain how a protocol breach can be elevated to arbitrary height ? the attacker FINDS SOMETHING
zx2c4: there _are_ attacks, on say voice compression algorithms, which can gather some information from having precise sizes alone, which is why things are padded to nearest 16. but i dont see what would be gathered by what youre suggesting
asciilifeform: zx2c4: speaking in general of symmetric ciphers -- a known-plaintext instance anywhere in the stream, or even a means of narrowing down possible plaintext, makes for considerably cheaper break
mircea_popescu: well, for instance, if i know six nodes in your network and know asciilifeform uses at most two, and i see those are not transmitting, i know he's asleep and send the titassassins.
zx2c4: mircea_popescu: an attacker can also distinguish between a length 15 message and a length 31 message. i still maintain this doesnt give an attacker anything useful
zx2c4: then those keepalives are in response to some message he received
asciilifeform: zx2c4: the distinguishability of keepalives also makes it considerably easier to carry out timing attack on your nonconstanttime ecc engine
mircea_popescu: in any case, cryptography comes in two sorts : sort a), known here as "this must be secure, it's so confusing to me", and sort b). the moment you say "i can't see what this gives attacker" you force-shove yourself in group a. it's not your business to know the attacker, that's the whole fundamental philosophy of ciphering, that you do not need to know the attacker.
asciilifeform: because i can tell when a particular message has been received and ack'd
zx2c4: the ecc is constant time. but anyway the transport layer doesnt use any ecc
mircea_popescu: anyway, the point here isn't that padded protocols infoleak in multiples of the padding, the point is that 0 is a special case invariant, and you can never leak a multiple of 0 safely. because, again, a message of arbitrary length n can be presented as m messages of length k ; but 0 messages can never carry anything.
mircea_popescu: one thing at a time : if an attacker observes a stream of n messages of lengths != 0, there is nothing he can infer : maybe they're part of one message, or maybe they're not, or maybe they don't even say anything.
mircea_popescu: if however he observes a stream of n messages of length = 0, he can infer nothing was said.
zx2c4: with many TCP protocols you can infer what's behind it based on the length
mircea_popescu: this reduces your strength, like it or not, because ~attacker inferred something~. that's what strength is, "attacker doesn't infer". see the history of the concept of "ban" and how turing banburismus'd.
zx2c4: i suppose your point is that you _could_ choose to obscure the lengths of the messages youre sending back? whereas with zero that isnt a possibility?
mircea_popescu: the problem is fundamental, though. the same EXACT thinking informs this problem as informs the earlier discussion with asciilifeform over null ciphers.
mircea_popescu: you have to get it in your head, that 0 is an invariant, and permitting it is always dangerous, because it's not "just another number".
mircea_popescu: and saying "multiples of k : 0, 8, 16" is NOT an enumeration of "similar things". 0 is dissimilar to everything else.
mircea_popescu: anyway, as to the other one : v is the republican... well many things, but also works as a versioning system. here's a pretty picture to help the notion along : http://btcbase.org/patches << you can select from the drop menu to the left, see various trees extant. you can click on any item to see the patch it represents.
zx2c4: linus has never been so happy about other languages in the kernel. for example, he rejected a C++ layer many years ago
asciilifeform: i'ma cheat and cite my own article, http://www.loper-os.org/?p=1913 : '... in a heavily-restricted subset of the Ada programming language — the only currently-existing nonproprietary statically-compiled language which permits fully bounds-checked, pointerolade-free code and practically-auditable binaries. We will be using GNAT, which relies on the GCC backend.'
asciilifeform: and add to this, that it has an actual paper standard, and minimal 'implementation-defined' rubbish (tho sadly not zero)
ben_vulpes: experiments from the kitchen, im sure more variants with chocolate will appear as soon as i mention the idea
mircea_popescu: generally the alfajor as a commercial item is two wafers, ddl in between, whole dipped in hard chocolate.
ben_vulpes: mircea_popescu: the .htaccess files included with/generated by mpwp include the `Allow` incantation, which is not a thing in apache 2.4; trilema purports to run on 2.4.16; can the Order/Allow incantations be replaced with the 2.4-style Require?
mircea_popescu: ben_vulpes wp doesn't actually care how .htaccess is implemented ; only that it works.
ben_vulpes: huh danielpbarron mentioned to me that it writes the permalinks into .htaccess, this is not so?
ben_vulpes has yet to put rubber to road on this, still researching
mircea_popescu: ben_vulpes all the Order deny,allow Deny from all Allow from x thing does is lock out by ip ; it's not even generated by wp itself ; it can be implemented any way, iptables, csf, whatever.
ben_vulpes: in other modern scotchguardlifeamericana, these "100% cotton!" napkins are clearly coated with some heinous anti-absorbent "nanotech". yes, works to wipe crumbs off toddlerface but holyfuck is aggressively and annoyingly nonabsorbent.
a111: Logged on 2018-04-12 16:12 zx2c4: things like RSA boil down to number theory problems. but that's in a sense scarier than the set of problems that good block ciphers tend to boil down to. because it means that those primitives have lots of _structure_, and generally structure is something that can be exploited. just look at all the amazing and fantastic attacks on things with structure. so just boiling down to a [currently considered] "hard problem"
a111: Logged on 2018-04-12 16:13 zx2c4: but even hardness of factoring... how hard is this actually? what number theoretic advances are right around the corner?
mircea_popescu: http://btcbase.org/log/2018-04-12#1797142 << understand, the discussion here is re cryptographic hardness, not mathematical hardness ; as discussed otherplaces in the logs, the mathematical notion of difficulty is "what's the absolute hardest case this problem can yield", because they want to offer maximal flop guarantees ; cryptographically it is kinda opposite : what's the LOWEST difficulty a problem in this class may yield
a111: Logged on 2018-04-12 16:15 zx2c4: shape packing?
mircea_popescu: . because they want to put a MINIMUM floor in. so to a large degree mathematical discussions of hardness are not cryptographically useful.
asciilifeform: ftr i got ~nowhere re: a proper approach to cryptohardness.
asciilifeform: and afaik nobody's made any progress re subj since john von n.
BingoBoingo: Now, there's also "alfajores integrals" where a birdseed paste is smashed between two birdseed wafers, but those cost ~70 pesos whereas alfajores verdaderos cost 20-30 pesos
ben_vulpes: im generally suspicious of food from plastic bags
asciilifeform: http://btcbase.org/log/2018-04-12#1797536 << we may have had the thread iirc, but : cryptographic 'lowest difficulty' is inescapably statistical, considering that there is a nonzero and calculable probability of guessing a key ( under any system which is not otp, i.e. correct key is somehow distinguishable from the space of possible rubbish key )
a111: Logged on 2018-04-12 18:10 mircea_popescu: http://btcbase.org/log/2018-04-12#1797142 << understand, the discussion here is re cryptographic hardness, not mathematical hardness ; as discussed otherplaces in the logs, the mathematical notion of difficulty is "what's the absolute hardest case this problem can yield", because they want to offer maximal flop guarantees ; cryptographically it is kinda opposite : what's the LOWEST difficulty a problem in th
asciilifeform: so what you'd want to prove is that there exists ~no~ method more effective than brute guess, for $system.
asciilifeform: ( 1 possible variant formulation of this : you want to prove that it is not possible to quickly skip over any portion of key space )
mircea_popescu: http://btcbase.org/log/2018-04-12#1797184 << you definitely should do that, seeing how the superficial "was reviewed" claim collapses upon the most cursory scrutiny. this is not a good state to put yourself into, it makes it too easy to be painted with unflattering brushes.
a111: Logged on 2018-04-12 16:25 zx2c4: i havent compiled a list of Name+WrittenReview. maybe i should do that
mircea_popescu: i dunno what your experience with "peer review" is, but as far as anyone involved is aware, exactly no review goes on in those circumstances. see sokal & all.
mircea_popescu: !#s "Transgressing the Boundaries: Towards a Transformative Hermeneutics of Quantum Gravity"
asciilifeform: mircea_popescu: blake2 is bernstein's hash ( consists of a slightly modified chacha, his symmetric algo )
mircea_popescu: i know, i know. just saying, "we picked the non-chosen candidates at random, go sue."
asciilifeform: i've no particular objection to snake oil from king cobra vs from japanese viper; but as i observed earlier, the sudden popularity of bernsteinism has never been explained to my satisfaction.
avgjoe: "Requests that `amount` be withdrawn from your available balance and sent to `to-btc-address`. This step shall be performed by a human operator after reviewing account history. Expect at least one day of processing. Bitcoin transaction fees shall be deducted from your account."
trinque: only airgapped wallet, and human meat that cuts transactions
ben_vulpes: trinque: dude has a point, self-referential though it might be faq.html would benefit from an "i am trinque, and have been running this service for members in good standing of the #trilema wot and others before it since XXX"
trinque: depends on whether I think people oughta come in through existing users, or not
avgjoe: after seeing that raiblocks was just some random coin, i tried to understand bitcoin better and found trilema as a very valid starting point, no-frills like, to use bitcoin in a responsible manner
lobbes: I was going to hop on to state this very point, but alf beat me to it so I will simply underline and point to trilema article referenced twice above. My own trust for various people (read: cryptographically backed identities) in here was not immediate, but evolved over the 4 years I've spent interfacing with said people. >> http://btcbase.org/log/2018-04-12#1797719
a111: Logged on 2018-04-12 19:23 asciilifeform: avgjoe: understand, 'looking up' tells you just about nothing if you do not have any existing trust of any of the people who wrote the item you are 'looking up' in.
spyked: trinque, yeah, I'm actually playing with cl-feed-parser to get an idea of what's required for the feed bot, going to spec it and all. I grabbed it off the githubs ( https://github.com/tkych/cl-feed-parser ) and the number of dependencies is irksome, so if you happen to know a better alternative other than building my own, I'm open to suggestions
trinque: nope, current thing is a sad pythonball hanging off the side.
spyked: okay then, I'm gonna work it off this. it'd be enough to replace the "drakma" http client with something lighter, and I'd already cut about half of it. the dependency tree leads to two xml parser libraries being used (plus other redundant stuff).
spyked: whole thing's a mess, but I'm organizing the code so that I can eventually replace it with something else.
trinque: a muntzed drakma would be a fine thing, I'd sign
spyked: zx2c4, I've been looking over the tamarin protocol verification paper and I'm curious, what does "symbolic verification" mean? also, what's the thing's output? is it just a "yes, properties hold" or does it also output the proof?
spyked: more to the point, this is similar to asciilifeform's "auditability" question. is there a way to obtain a (ideally human-readable) set of deductions out of the prover?
asciilifeform: spyked: if you recall, back in the 'minsky age', that was the initial attraction of mechanical 'reasoners' -- discovery of ~simple~ inferences
asciilifeform: unfortunately it never went far beyond 'rediscovered pythagor's theorem'
asciilifeform: but this was enuff for the tech to find its way to the cargocultists.
asciilifeform: ( and i dun think i need to explain that the mecha-proof is ~meaningless~ without reading the claimed verifier )
asciilifeform: spyked: in re proof machines, i'm much moar interested in items like ACL2 , where you can affix your hand-written program to a hand-written proof of correctness in a mechanically-reliable way
asciilifeform: ada's spark is a similar, if somewhat uglier/bulkier, thing
asciilifeform: in any case fits-in-head MUST come ahead of 'proofiness'.
ben_vulpes: i think it puts the water in the wrong place. you get dry, hot air which you'd then have to cool and compress into the engine and cold wet air (possibly with the water condensed out entirely with a spigot)
asciilifeform: ben_vulpes: there is of course another way to get dry air
asciilifeform: above certain temp, water cannot exist, only h2, o2
asciilifeform: spyked: sorta how it is ~impossible to write a prolog proggy without several times ending up asking machine np-hard question.
asciilifeform: spyked: i dun have anything against mechanical proof per se; but it is NOT a substitute for fits-in-head, because there is nor cannot be any such substitute. and the mass of the theorem-verifier is to be included with the mass of the program, for the purpose of 'is this head-fittable'. but possibly i repeat old thread.